Authorization WTF



  • You may think this is fake, but it is not.

                string user;
                try
                {
                    user = CurrentPerson.UserName;
                }
                catch (Exception)
                {
                    user = "Admin";
                }

     Found in production code...



  • Where do you start to criticise this one?

    Fish... Barrel...



  • Wow.  That is beautiful.



  • I don't see the problem with this code at all...:s



  • @dmsuperman said:

    I don't see the problem with this code at all...:s

    That's because the code has made you go blind. 



  • This is Front Page Post material if ever I saw it, good pickup



  • @mannu said:

    You may think this is fake, but it is not.

                string user;
                try
                {
                    user = CurrentPerson.UserName;
                }
                catch (Exception)
                {
                    user = "Admin";
                }

     Found in production code...

    So let's see if I can name all the WTFs in this one... (will probably miss one or two)

    • Silently swallowing all exceptions. Since .NET doesn't distinguish errors from regular exceptions like Java does, this thus includes framework zomg-fatal errors (if those are even catchable). (Seriously, when will these incompetent people understand that exceptions are meant to be exceptional?)
    • Handling the exception "fail-lazy" instead of "fail-secure" (how hard is it to say: "HEY IDIOT LOG IN KTHX" and go back to login screen?).
    • Using try/catch where if (CurrentPerson != null) would do (assuming UserName is a field or simple property (can't be a method - no ()), so the only possible exception is NullReferenceException - others are possible if the property is a WTF that does a million other things first). As far as my experience with .NET exceptions goes, they are expensive CPU-wise (but that might be just in the debugger) and thus shouldn't be thrown about lightly.
    • Hardcoding the name 'Admin'. Bonus points if this is actually an admin-level account. More bonus points if it is not, and even more bonus points if there is no actual account named 'Admin'. If anything, it should've been "FILE_NOT_FOUND".
    • The forum using craploads of nonbreaking space entities to format that paste instead of just shoving it in a preformatted block.

    I think that should cover it.
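The fail-secure alternative the post describes, as an added example that is not code from the thread: a hypothetical Person class stands in for CurrentPerson.UserName, the only failure modelled is the null session the post identifies, and the privileged fallback is replaced by an explicit "not logged in" error the caller has to handle.

```csharp
using System;

// Added example, not the thread's code. Person/CurrentPerson is a hypothetical
// stand-in for the forum snippet's CurrentPerson.UserName.
public sealed class Person
{
    public string UserName { get; set; }
}

public static class UserResolution
{
    // The fail-open pattern from the post, kept only for contrast:
    // a null CurrentPerson (nobody logged in) silently becomes "Admin".
    public static string ResolveFailOpen(Person currentPerson)
    {
        string user;
        try
        {
            user = currentPerson.UserName;
        }
        catch (Exception)
        {
            user = "Admin";
        }
        return user;
    }

    // Fail-secure replacement: test the condition that can actually fail
    // (a missing session) instead of catching everything, and never fall
    // back to a named account. The caller must deal with "not logged in"
    // explicitly, e.g. by redirecting to the login page.
    public static string ResolveFailSecure(Person currentPerson)
    {
        if (currentPerson == null || string.IsNullOrEmpty(currentPerson.UserName))
        {
            throw new UnauthorizedAccessException(
                "No authenticated user in the current context; login required.");
        }
        return currentPerson.UserName;
    }

    public static void Main()
    {
        // With no session, the fail-open version hands back a privileged name...
        Console.WriteLine(ResolveFailOpen(null));
        // ...while the fail-secure version refuses and forces a login decision.
        try { ResolveFailSecure(null); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```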



  • assuming UserName is a field or simple property (can't be a method - no ()

    Well... .NET allows for all kinds of calls in a getter, so for all we know it's calling a slew of databases. In my opinion, this is both a nice feature, and a relatively big gun to shoot oneself in the foot with.



  • Admin is actually a basic level user with minimal rights.  Security by obscurity!



    • Silently swallowing all exceptions. Since .NET doesn't distinguish errors from regular exceptions like Java does, this thus includes framework zomg-fatal errors (if those are even catchable). (Seriously, when will these incompetent people understand that exceptions are meant to be exceptional?)

    Except, oddly enough, for Java's permission handling.  Almost all (one or two AWT things excepted) of the checking methods on the SecurityManager are void.  If the permission isn't there, it throws a PermissionException.  "Hey, can this user see the system properties?"   "DIE!!!!"


  • Next, we'll see:

    "The Windows password you entered is incorrect.  Now logging you in as Administrator so you can reset your password..."



  • @Saladin said:

    Next, we'll see:

    "The Windows password you entered is incorrect.  Now logging you in as Administrator so you can reset your password..."


    Didn't Microsoft Bob do something like that?  After three login failures, it would let you reset your password?
